Microsoft Shows Off Experimental Designs for OS and Browser

Threats from Web applications are behind both ServiceOS and the Gazelle browser

11 August 2009—This week, computer scientists from Microsoft Research will unveil a new design for an operating system and a browser built to withstand the growing security threats of the Web. Though the projects—ServiceOS and the Gazelle Web browser—are far from becoming commercial products, they provide insight into how Microsoft views the evolution of PC software.

Helen Wang, a senior researcher, will present two papers on the designs at the USENIX Security Symposium this week. Wang says her work and the work of her colleagues are intended to address a “paradigm shift” in how PCs are used. People are increasingly dependent on their digital devices, and they are much more likely to use Web applications for everything from office chores to shopping, she explains.

But flaws in the architecture of both operating systems and browsers make this shift in behavior dangerous. The computer code for Web applications is not only easily compromised, it can also serve as a bridge to valuable data on someone’s computer. Most ordinary Web surfers don’t realize that when they log in to their bank’s Web site while chatting on Facebook and answering Yahoo mail, the applications are not protected from one another. So a bug in Facebook can infect the application that’s paying the bills. Because the Web applications also have direct access to the operating system, an application gone rogue can also rummage through a person’s files and send out data over the Internet.

Even if a software program running in the browser isn’t infected with malicious code, it can still cause problems by hogging system resources, Wang says. For example, a misbehaving Web advertisement can monopolize processing power, memory, and network bandwidth.

To fix these problems, Wang proposes rethinking both the operating system and the browser. The architecture of most operating systems, including Windows and Linux, harks back to the era when multiple users shared a single mainframe computer. The systems were constructed so that people couldn’t access one another’s data, and an application being used by Alice wouldn’t interfere with another being used by Bob.

Wang says that instead of protecting people, the operating system should protect applications from one another. She and her colleagues have developed ServiceOS, a new operating system that manages security policies and resource allocation and exists as a small layer of code between Web applications and traditional operating systems, like Windows. For example, ServiceOS could decide that Facebook can send data only back to Facebook or that Adobe’s Flash cannot access any files.

“A lot of basic functionality in today’s operating system is sound,” Wang says. “We don’t need to reinvent the wheel.”

The Gazelle Web browser, which is also being developed by Wang and her colleagues, will implement the security policies set by ServiceOS, isolating different applications from one another. What’s special about Gazelle, Wang says, is that “it is the first browser that is built with an operating system mentality.”

In an improvement on Microsoft Internet Explorer and other state-of-the-art browsers, Gazelle also prevents compromised applications from drawing over other parts of a Web page when it is displayed in the browser.

In contrast, Google Chrome prevents Web pages only from drawing outside their content area, says Adam Barth, a postdoctoral fellow at the University of California, Berkeley, who contributed code to Chrome. “Google Chrome’s security architecture is focused on protecting the user’s computer from malicious Web sites,” he says. “Gazelle takes this approach a step further and aims to protect honest Web sites from malicious Web sites.”

But critics of Gazelle say the browser’s security comes at the expense of compatibility. Sites such as YouTube that run in the browser as plug-ins may not work in Gazelle. Google engineers, who mentioned the plug-in issue in a paper on Google’s Chrome browser, recently announced that they, too, are building a new operating system, which will also be called Chrome. In a recent blog post, they claimed that “all Web-based applications will automatically work” on the new operating system.

Wang acknowledges that her design has compatibility issues. “The plug-in problem is fairly hairy,” she says.

Microsoft computer scientists “are really trying to rearchitect the browser and to build it in a safe way,” says Jeff Williams, chair of the Open Web Application Security Project, a community that is focused on improving the security of application software.

Wang hopes her research will eventually be incorporated into Microsoft’s products. In addition to personal computers, she says, the technology is also appropriate for smartphones and netbooks. For now, however, it’s only a prototype.

About the Author

Elise Ackerman is a technology writer for the San Jose Mercury News, in California. In IEEE Spectrum’s July 2009 issue, she reported on tests of a communications system that could one day form an interplanetary Internet.